Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 717054 - <app-text/recode-3.7.6: Multiple vulnerabilities
Summary: <app-text/recode-3.7.6: Multiple vulnerabilities
Status: IN_PROGRESS
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/rrthomas/recode/co...
Whiteboard: B3 [noglsa cleanup]
Keywords: CC-ARCHES, PullRequest
Depends on:
Blocks:
 
Reported: 2020-04-11 11:29 UTC by David Heidelberg (okias)
Modified: 2020-09-14 06:11 UTC (History)
3 users (show)

See Also:
Package list:
app-text/recode-3.7.6-r1
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description David Heidelberg (okias) 2020-04-11 11:29:35 UTC
Possible security issue (blame points 12 years ago, so probably also recode 3.6 affected).

https://github.com/rrthomas/recode/commit/3e566ca4b17814de8bc100e3edadbed6e539874f

Pull request will follow:

Reproducible: Always
Comment 1 David Heidelberg (okias) 2020-05-11 14:43:32 UTC
Please confirm.

https://repology.org/project/recode/versions#gentoo
Comment 2 Sam James archtester gentoo-dev Security 2020-05-11 15:46:56 UTC
I'd missed this, sorry. In future, try do something like this:
* File version bump bug (if you want, this is optional)
* File bug in Security > Vulnerabilities (with a description of the bug in the title, if you want to be nice)

---
@maintainer(s), please apply provided patch / bump to 3.7.6.
Comment 3 David Heidelberg (okias) 2020-05-11 16:08:47 UTC
TESTS: Summary: 486 good tests in 4.60 seconds.

test and BDEPS fix coming into PR in few minutes.
Comment 4 David Heidelberg (okias) 2020-05-12 08:52:37 UTC
Please BUMP mentioned PR.
https://github.com/gentoo/gentoo/pull/15304 (most likely non maintainer bump needed)
Comment 5 Larry the Git Cow gentoo-dev 2020-05-15 10:15:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cc9da233f44c2bcce96b01e364123b8fbc26be8e

commit cc9da233f44c2bcce96b01e364123b8fbc26be8e
Author:     David Heidelberg <david@ixit.cz>
AuthorDate: 2020-04-11 11:29:38 +0000
Commit:     Joonas Niilola <juippis@gentoo.org>
CommitDate: 2020-05-15 10:15:45 +0000

    app-text/recode: bump to 3.7.6
    
    - bump to EAPI 7
    - switch to BDEPEND
    - tests are working now
    
    Bug: https://bugs.gentoo.org/717054
    
    Signed-off-by: David Heidelberg <david@ixit.cz>
    Signed-off-by: Joonas Niilola <juippis@gentoo.org>

 app-text/recode/Manifest            |  1 +
 app-text/recode/recode-3.7.6.ebuild | 36 ++++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
Comment 6 Sam James archtester gentoo-dev Security 2020-07-23 13:19:02 UTC
Please let us know if ready to stable yet.
Comment 7 NATTkA bot gentoo-dev 2020-07-23 13:21:19 UTC
Unable to check for sanity:

> no match for package: app-text/recode-3.7.6
Comment 8 NATTkA bot gentoo-dev 2020-07-23 13:25:07 UTC
All sanity-check issues have been resolved
Comment 9 Sam James archtester gentoo-dev Security 2020-07-27 02:46:25 UTC
Let's go for it.
Comment 10 Sam James archtester gentoo-dev Security 2020-07-27 03:50:55 UTC
arm stable
Comment 11 Sam James archtester gentoo-dev Security 2020-07-27 13:55:18 UTC
arm64 stable
Comment 12 Sam James archtester gentoo-dev Security 2020-07-27 13:57:53 UTC
amd64 stable
Comment 13 Sam James archtester gentoo-dev Security 2020-07-27 17:32:41 UTC
x86 stable
Comment 14 Sam James archtester gentoo-dev Security 2020-07-29 16:23:20 UTC
ppc64 stable
Comment 15 Sam James archtester gentoo-dev Security 2020-07-29 16:24:50 UTC
ppc stable
Comment 16 Rolf Eike Beer 2020-07-29 17:34:48 UTC
hppa stable
Comment 17 Sam James archtester gentoo-dev Security 2020-07-29 18:40:42 UTC
sparc stable. Please cleanup.
Comment 18 Sam James archtester gentoo-dev Security 2020-07-30 03:29:28 UTC
okias, it looks like there's an issue from dropping multilib in the bump:
app-i18n/enca/enca-1.19-r2.ebuild:      recode? ( app-text/recode:0=[${MULTILIB_USEDEP}] )

This is blocking cleanup of the old version (and indeed means users who have enca[recode] will be stuck with the old version).

I guess we need to restore it, or drop USE=recode from enca.
Comment 19 Thomas Deutschmann gentoo-dev Security 2020-09-13 22:10:09 UTC
GLSA Vote: No!